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Abstract 


A fundamental problem in designing secure multi-party protocols is how to deal with adaptive ad- 
versaries (i.e., adversaries that may choose the corrupted parties during the course of the computation), 
in a setting where the channels are insecure and secure communication is achieved by cryptographic 
primitives based on the computational limitations of the adversary. 

It turns out that the power of an adaptive adversary is greatly affected by the amount of information 
gathered upon the corruption of a party. This amount of information models the extent to which 
uncorrupted parties are trusted to carry out instructions that cannot be externally verified, such as 
erasing records of past configurations. It has been shown that if the parties are trusted to erase such 
records, then adaptively secure computation can be carried out using known primitives. However, this 
total trust in parties may be unrealistic in many scenarios. An important question, open since 1986, is 
whether adaptively secure multi-party computation can be carried out in the “insecure channel” setting, 
even if no party is thoroughly trusted. 

Our main result is an affirmative resolution of this question for the case where even uncorrupted 
parties may deviate from the protocol by keeping record of all past configurations. We first propose a 
novel property of encryption protocols and show that if an encryption protocol enjoying this property 
is used, instead of a standard encryption scheme, then known constructions become adaptively secure. 
Next we construct, based on the standard RSA assumption, an encryption protocol that enjoys this 
property. 

We also consider parties that, even when uncorrupted, may internally deviate from their protocols 
in arbitrary ways, as long as no external test can detect faulty behavior. We show that in this case no 
non-trivial protocol can be proven adaptively secure using black-box simulation. This holds even if the 
communication channels are totally secure. 


*TOC/CIS groups, LCS, MIT. canetti@theory.1cs.mit.edu. 
' Department of Computer 
Science and Applied Math,Weizmann Institute of Science, Rehovot, Israel. {feige,oded,naor}@wisdom.weizmann.ac.il. 


1 Introduction 


Consider a set of parties who do not trust each other, nor the channels by which they communicate. Still, 
the parties wish to correctly compute some common function of their local inputs, while keeping their local 
data as private as possible. This, in a nutshell, is the problem of secure multi-party computation. The 
parties’ distrust in each other and in the network is usually modeled via an adversary that corrupts some 
of the parties. Once a party is corrupted it follows the instructions of the adversary. In particular, all the 
information known to this party becomes known to the adversary. 

An important parameter, which is the focus of this work, is the way in which the corrupted parties 
are chosen. In the case of non-adaptive adversaries, the set of corrupted parties is arbitrary, but fixed 
before the computation starts. (Still, the uncorrupted parties do not know the identities of the corrupted 
parties.) A more general case is where the adversary chooses to corrupt parties during the course of the 
computation, based on the information gathered so far. We call such adversaries adaptive. 

The difference between adaptive and non-adaptive adversaries may be best demonstrated via an exam- 
ple. Consider the following secret sharing protocol, run in the presence of an adversary that may corrupt 
t = O(n) out of the n parties: A dealer D chooses at random a small set $ of m = \/t parties, and shares 
its secret among these parties using an m-out-of-m sharing scheme. In addition D publicizes the set S. 
Intuitively, this scheme lacks in security since S is public and |.$| < t. Indeed, an adaptive adversary can 
easily find D’s secret, without corrupting D, by corrupting the parties in S. However, any non-adaptive 
adversary that does not corrupt D learns D’s secret only if S happens to be identical to the pre-defined set 
of corrupted parties. This happens only with exponentially small probability. Consequently, this protocol 
is secure in the presence of non-adaptive adversaries. 

Protocols for securely computing any function, in several computation models, have been known for a 
while: Goldreich, Micali and Wigderson have shown how to securely compute any function in the compu- 
tational setting [GMW]. (In the computational setting all the communication between the parties is seen 
by the adversary. All parties, as well as the adversary, are restricted to probabilistic polynomial time). 
Ben-Or, Goldwasser and Wigderson, and independently Chaum, Crepeau and Damgard, have shown how 
to securely compute any function in the secure channels setting [BGW, CCD]. (In the secure channels 
setting the adversary cannot eavesdrop on the communication between uncorrupted parties, and is allowed 
unlimited computational power.) These constructions can be shown secure in the presence of non-adaptive 
adversaries. In contrary to folklore beliefs, problems are encountered when attempting to prove adaptive 
security of protocols, even in the secure channels setting. Additional problems are encountered in the 
computational setting. Demonstrating, clarifying, and (partially) solving these problems is the focus of 
this work. 

We first pose the following question: To what extent can uncorrupted parties be trusted to carry out 
instructions that cannot be externally verified, such as erasing local data, or making random choices? This 
question is intimately related to the power of an adaptive adversary, in both of the above settings, since 
the adversary may gather additional information when corrupting parties that have locally deviated from 
the protocol (say, by not erasing data that is supposed to be erased). If uncorrupted parties are trusted to 
carry out even unverifiable instructions such as erasing local data then adaptively secure computation can 
be carried out using known primitives [F, BH]. However, this trust may be unrealistic in many scenarios. 
We thus consider parties that, even when uncorrupted, internally deviate slightly from their protocols. We 
call such parties semi-honest. Several degrees of internal deviation from the protocol are examined with 
the main focus on parties which follow their protocol with the exception that they keep record of the entire 
computation. We seek protocols that are secure even if the uncorrupted parties are semi-honest rather 
than honest. 


We discuss the problems encountered in the secure channels setting, and state the amount of internal 
deviation from the protocol under which adaptively secure protocols are known to exist. (In particular, 
under these conditions the [BGW, CCD] protocols can be proven adaptively secure.) 

Finally we concentrate on the computational setting, and on semi-honest parties that follow their 
protocols with the exception that no internal data is ever erased. Is adaptively secure computation possible 
in this scenario? This question has remained open since the result of [GMW] (even for the case in which 
the adversary only gathers information from corrupted parties and does not make them deviate any further 
from the protocol). 

We answer this question in the affirmative. The problems encountered, and our solution, are presented 
via the following transformation. It is a folklore belief that any secure protocol in the secure channels setting 
can be transformed into a secure protocol in the computational setting, by encrypting each message using 
a standard semantically secure encryption scheme. This belief can indeed be turned into a proof, provided 
that only non-adaptive adversaries are considered. Trying to prove this belief in the presence of adaptive 
adversaries encounters major difficulties. We show how these difficulties are overcome if a novel encryption 
protocol is used, instead of standard encryption. We call such encryption protocols non-committing. 
(Standard encryption schemes are not non-committing. ) 

Non-committing encryption can be roughly described as follows. Traditional encryption schemes have 
the extra property that the ciphertext may serve as a commitment of the sender to the encrypted data. That 
is, suppose that after seeing the ciphertext, a third party requests the sender to reveal the encrypted data, 
and show how it was encrypted and decrypted. Using traditional encryption schemes it may be infeasible 
(or even impossible) for the sender to demonstrate that the encrypted data was any different than what was 
indeed transmitted. (In fact, many times encryption is explicitly or implicitly used for commitment.) In a 
non-committing encryption scheme the ciphertext cannot be used to commit the sender (or the receiver) 
to the transmitted data. That is, a non-committing encryption protocol allows a simulator to generate 
dummy ciphertexts that look like genuine ones, and can be later “opened” as encryptions of either 1 or 0, 
at wish. We note that communication over absolutely secure channels is trivially non-committing, since 
the third party sees no “ciphertext”. 

We present several constructions of non-committing encryption protocols. All constructions consist of 
a ‘key distribution’ stage which is independent of the transmitted data, followed by a single message sent 
from the sender to the receiver. In our most general construction, based on a primitive called common- 
domain trapdoor system, the key distribution stage requires participation of all parties (and is valid as long 
as at least one party remains uncorrupted). We also present two alternative constructions, based on the 
RSA and the Diffie-Hellman assumptions respectively, where the key distribution stage consists of one 
message sent from the receiver to the sender. 


Related work. Independently of our work, Beaver has investigated the problem of converting, in the 
computational setting, protocols which are adaptively secure against eavesdropping adversaries into proto- 
cols adaptively secure against Byzantine adversaries [Be2]. No protocols adaptively secure against eaves- 
dropping adversaries were known prior to our work, nor are such protocols suggested in [Be2]. We believe 
that the problem of adaptive security retains its difficulty even if only eavesdropping adversaries are con- 
sidered. Following our work, and motivated by the “Incoercible Voting” Problem, Canetti et. al. [CDNO] 
introduced a stronger type of non-committing encryption protocol as well as an implementation of it based 
on any trapdoor permutation. 


Organization. The rest of this paper is organized as follows. In Section 2 we discuss the problem of 
adaptive security and our solution to it in more detail. We keep the presentation informal throughout this 


section. Precise definitions are given in Section 3. Our constructions for the non-erasing and honest-looking 
cases are presented in Sections 4 and 5, respectively. 


2 Semi-honesty and adaptive security 


In this section we discuss the problem of adaptive security and our solution to it in more detail. We keep the 
presentation informal throughout this section. Precise definitions are given in Section 3. In Subsection 2.1 
we discuss the question of what can be expected from an honest party, and present several notions of semi- 
honest parties. In Subsection 2.2 we describe the problems encountered when trying to prove adaptive 
security of protocols in the secure channels setting, and state existing solutions. In Subsection 2.3 we 
present the additional problems encountered when trying to prove adaptive security of protocols in the 
computational setting, and sketch our solution. 


2.1 Semi-honest parties 


The problem of adaptively secure computation is intimately related to the following question: To what 
extent can uncorrupted parties be trusted to carry out instructions that cannot be externally verified, 
such as erasing local data, or using randomness as instructed? Honest parties internally deviate from 
their protocol in many real-life scenarios, such as users that keep record of their passwords, stock-market 
brokers that keep records of their clients’ orders, operating systems that “free” old memory instead of 
erasing it or take periodic snapshots of the memory (for error recovery purposes), and computers that 
use pseudorandom generators as their source of randomness instead of truly random bits. Consider for 
example a protocol in which party A is instructed to choose a random string r for party B, hand r to B, 
and then to erase r from its own memory. Can B be certain that A no longer knows r? Furthermore, can 
A now convince a third party (or an adversary that later decides to corrupt A) that he no longer knows r? 

To address this issue we introduce the notion of a semi-honest party. Such a party “appears as honest” 
(i.e., seems to be following its protocol) from the point of view of an outside observer; however, internally it 
may somewhat deviate from the protocol. For instance, a semi-honest party may fail to erase some internal 
data, or use randomness not as instructed. (However, semi-honest parties do not collaborate.) We wish to 
have protocols that are secure even when parties are not thoroughly trusted, or in other words when the 
uncorrupted parties are semi-honest rather than honest. We say that a protocol 7’ is a semi-honest protocol 


‘ “appears as” an honest party running 7. We want the requirements 


for a protocol a if a party running 7 
from a to be satisfied even if the uncorrupted parties are running any semi-honest protocol for 7. (In the 
sequel we use the terms ‘semi-honest parties’ and ‘semi-honest protocols’ interchangeably. ) 

The difference between computations in the presence of totally honest parties and computations in the 
presence of semi-honest parties becomes evident in the presence of adaptive adversaries. Consider a party 
just corrupted by the adversary, during the course of the computation. If the party is totally honest, then 
the adversary will see exactly the data specified in the protocol (in particular, any data that was supposed 
to be erased will not be seen). If the party is semi-honest then the adversary may see a great deal of other 
data, such as all the past random choices of the party and all the messages the party ever received and 
sent. Therefore, the adversary may be much more powerful in the presence of semi-honest parties. We 
elaborate on this crucial point in the sequel. 

We distinguish three types of semi-honest behavior. The slightest deviation from the protocol is consid- 
ered to be refraining from erasing data. We call such parties honest-but-non-erasing, or in short non-erasing. 
Non-erasing behavior is a very simple deviation from the protocol, that is very hard to prevent. Even if 
the protocol is somehow protected against modifications, it is always possible to add an external device 


that copies all memory locations accessed by the protocol to a “safe” memory. This way a record of the 
entire execution is kept. Such an external device requires no understanding of the internal structure or of 
the behavior of the protocol. Furthermore, failure to erase data may occur even without intention of the 
honest party (e.g., the operating system examples above). 

A more severe deviation by a semi-honest party consists of executing some arbitrary protocol other than 
the specified one, with the restriction that no external test can distinguish between such a behavior and 
a truly honest behavior. We call parties that deviate in this way honest-looking. Honest-looking parties 
represent “sophisticated” parties that internally deviate from the protocol in an arbitrary way, but are 
not willing to take any chance that they will ever be uncovered (say, by an unexpected audit). Note that 
honest-looking parties can do other “harmful” things, on top of not erasing data. For instance, assume 
that some one-way permutation f : D+ D is known to all parties. When instructed to choose a value r 
uniformly in D, an honest-looking party can instead choose s uniformly in D and let r = f(s). Thus, the 
party cannot be trusted to not know f~'(r). (Other, more ‘disturbing’ deviations from the protocols are 
possible, we elaborate in the sequel.) 

An even more permissive approach allows a semi-honest party to deviate arbitrarily from the protocol, 
as long as its behavior appears honest to all other parties executing the protocol. Other external tests, not 
specified in the protocol, may be able to detect such a party as cheating. We call such semi-honest parties 
weakly-honest. 

The focus of our work is mainly on adaptive security in the presence of non-erasing parties (see Sec- 
tion 4). This coincides with the common interpretation of the problem of adaptive security. To the best 
of our knowledge, honest-looking and weakly-honest parties were not considered before. 


2.2 Adaptive security in the secure channels setting 


Although the emphasis of this paper is on the computational setting, we first present the state of knowledge, 
and sketch the problems involved, in the secure channels setting. We believe that understanding adaptively 
secure computation in the computational setting is easier when the secure channels setting is considered 
first. 

The state-of-the-art with respect to adaptive computation in the secure channels setting can be briefly 
summarized as follows. Adaptively secure protocols for computing any function exist in the presence 
of non-erasing parties (e.g., [BGW, CCD]). However, in contrast with popular belief, not every non- 
adaptively secure protocol is also adaptively secure in the presence of non-erasing parties. Furthermore, 
current techniques are insufficient for proving adaptive security of any protocol for computing a non-trivial 
function in the presence of honest-looking parties. 

In order to present the extra difficulty in constructing adaptively secure protocols, we roughly sketch 
the standard definition of secure multi-party computation. (Full definitions appear in Section 3.) Our 
presentation follows [MR, Bel, GwL, C], while incorporating the notion of semi-honest parties in the 
definition. The definition follows the same outline in the secure channels setting and in the computational 
settings. 


Background: How is security defined. First an ideal model for secure multi-party computation is 
formulated. A computation in this ideal model captures “the highest level of security we can expect from a 
multi-party computation”. Next we require that executing a secure protocol 7 for evaluating some function 
f of the parties’ inputs in the actual real-life setting is “equivalent” to evaluating f in the ideal model, 
where the meaning of this “equivalence” is explained below. 


A computation in the ideal model proceeds as follows. First an ideal-model-adversary chooses to corrupt 


a set of parties (either adaptively or non-adaptively), learns their input, and possibly modifies it. Next 
all parties hand their (possibly modified) inputs to an incorruptible trusted party. The trusted party then 
computes the expected output (i.e., the function value) and hands it back to all parties. At this stage 
an adaptive adversary can choose to corrupt more parties. Finally, the uncorrupted parties output the 
value received from the trusted party whereas the corrupted parties output some arbitrary function of the 
information gathered during this computation. 

In the real-life model there exists no trusted party and the parties must interact with one another using 
some protocol in order to compute any “non-trivial” function. We say that the execution of a protocol 7 
for evaluating f is “equivalent” to evaluating f in the ideal model, if for any adversary A in the real-life 
model, there exists an ideal-model-adversary S that has the same effect on the computation as A, even 
though S operates in the ideal model. That is, on any input, the outputs of the parties after running 7 in 
the real-life model in the presence of A should be distributed equally to the outputs of parties evaluating 
f in the ideal model in the presence of S. Furthermore, this condition should hold for any semi-honest 
protocol x’ for m (according to either of the above notions of semi-honesty). 

We require that the complexity of S be comparable to (i.e., polynomial in) the complexity of A. This 
requirement can be motivated as follows. Machine S represents “what could have been learned in the ideal 
model”. Thus, security of a protocol can be interpreted as the following statement: “whatever A can learn 
in the real-life model, could have been learned in the ideal model within comparable complexity”. A much 
weaker (and arguably unsatisfactory) notion of security emerges if the complexity of S does not depend 
on that of A. (This holds even in the non-adaptive case.)! 


Problems with proving adaptive security. <A standard construction of an ideal-model-adversary, S, 
operates via black-box interaction with the real-life adversary A. More specifically, let 7’ be a semi-honest 
protocol for zt. S runs the black-box representing A on a simulated interaction with a set of parties 
running z’. S corrupts (in the ideal model) the same parties that A corrupts in the simulated interaction, 
and outputs whatever A outputs. From the point of view of A, the interaction simulated by S should be 
distributed identically to an authentic interaction with parties running 7’. It is crucial that S be able to run 
a successful simulation based only on the information available to it in the ideal model, and in particular 
without knowing the inputs of uncorrupted parties. We restrict our presentation to this methodology of 
proving security of protocols, where S is restricted to probabilistic polynomial time. We remark that no 
other proof method is known in this context. In the sequel we often call the ideal-model-adversary S a 
simulator. 


Following the above methodology, the simulator that we construct has to generate simulated messages 
from the uncorrupted parties to the corrupted parties. In the non-adaptive case the set of corrupted parties 
is fixed and known to the simulator. Thus the simulator can corrupt these parties, in the ideal model, before 
the simulation starts. In the adaptive case the corrupted parties are chosen by the simulated adversary 
A as the computation unfolds. Here the simulator corrupts a party, in the ideal model, only when the 
simulated adversary decides on corrupting that party. Thus the following extra problem is encountered. 
Consider a currently uncorrupted party P. Since S does not know the input of P, it may not know which 


‘We illustrate this distinction via the following example. Let f(v,y) = g(* ® y) where g is a one-way permutation and 
&@ denotes bitwise exclusive or. Assume that parties A and B have inputs x and y respectively, and consider the following 
protocol for computing f: Party A announces 2, party B announces y, and both parties compute f(x,y). Our intuition is that 
this protocol is insecure against adversaries that may corrupt one party (say B): it “gives away for free” both x and y, whereas 
computing z given y and f(«,y), may take the adversary a large amount of time. Indeed, if the ideal-model adversary S is 
limited to probabilistic polynomial time (and one-way permutations exist), then this protocol is insecure against adversaries 
that corrupt one party. However, under the model allowing S unlimited computational power regardless of A’s complexity, 
this protocol is considered secure since S can invert g. 


messages should be sent by P to the corrupted parties. Still, S has to generate some dummy messages to be 
sent by the simulated P to corrupted parties. When the simulated adversary A later corrupts P it expects 
to see P’s internal data. The simulator should now be able to present internal data for P that is consistent 
with P’s newly-learned input and with the messages previously sent by P, according to the particular semi- 
honest protocol x’ run by P. It turns out that this can be done for the [BGW] protocols for computing 
any function in the presence of non-erasing parties. Thus, the [BGW] protocols are adaptively secure 
in the presence of non-erasing parties. Recall, however, that not every protocol which is secure against 
non-adaptive adversaries is also secure against adaptive adversaries (see example in the third paragraph of 
the Introduction). 


In face of honest-looking parties. Further problems are encountered when honest-looking parties are 
allowed, as demonstrated by the following example. Consider a protocol 9 that instructs each party, on 
private input o, to just publicize a uniformly and independently Chosen value r in some domain D and 
terminate. @ looks “harmless” in the sense that no information on the inputs leaks out. However, consider 
the following honest-looking variant of @. Let fo, f, be a claw-free pair of permutations over D. Then, 
on input o € {0,1}, an honest-looking party can ‘commit’ to its input by publicizing f,(r) instead of 
publicizing r. If this honest-looking variant of 6 is shown secure via an efficient black-box simulation as 
described above, then the constructed simulator can be used to find claws between fo and f,. Similar 
honest-looking variants can be constructed for the [BGW, CCD] protocols. Consequently, if claw-free pairs 
of permutations exist then adaptive security of the [BGW, CCD] protocols, in the presence of honest- 
looking parties, cannot be proven via black-box simulation. In fact, such honest-looking variants can be 
constructed for any “non-trivial” protocol, with similar effects. 


2.3 Adaptive security in the computational setting 


We sketch the extra difficulty encountered in constructing adaptively secure protocols in the computational 
setting, and outline our solution for non-erasing parties. Consider the following folklore methodology 
for constructing secure protocols in the computational setting. Start with an adaptively secure protocol 7 
resilient against non-erasing parties in the secure channels setting, and construct a protocol 7 by encrypting 
each message using a standard encryption scheme. We investigate the security of 7 in the computational 
setting. 


Proving that 7 is non-adaptively secure. We first sketch how 7 can be shown non-adaptively secure 
in the computational setting, assuming that 7 is non-adaptively secure in the secure channels setting. Let 
S be the ideal-model-adversary (simulator) associated with a in the secure channels setting. (We assume 
that S operates via “black-box simulation” of the real-life adversary A as described above.) We wish to 
construct, in the computational setting, a simulator S for #. The simulator S operates just like S, with 
two exceptions. First, In the computational setting the real-life adversary expects the messages sent to 
corrupted parties to be encrypted. Next, the real-life adversary expects to see the ciphertexts sent between 
uncorrupted parties. (In the secure channels setting the adversary does not see the communication between 
uncorrupted parties. ) S will imitate this situation as follows. First each message sent to a corrupted party 
will be appropriately encrypted. Next, the simulated uncorrupted parties will exchange dummy ciphertezts. 
(These dummy ciphertexts can be generated as, say, encryptions of the value ‘0’.) The validity of simulator 
S can be shown to follow, in a straightforward way, from the validity of S and the security of the encryption 
scheme in use. 


Problems with proving adaptive security. When adaptive adversaries are considered, the construc- 
tion of a simulator S in the computational setting encounters the following additional problem. Consider 
an uncorrupted party P. Since S does not know the input of P, it does not know which messages should 
be sent by P to other uncorrupted parties.? Still, S has to generate dummy ciphertexts to be sent by 
the simulated P to uncorrupted parties. These dummy ciphertexts are seen by the adaptive adversary. 
When the adversary later corrupts the simulated P, it expects to see all of P’s internal data, as specified 
by the semi-honest protocol x’. Certainly, this data may include the cleartexts of all the ciphertexts sent 
and received by P in the past, including the random bits used for encryption and decryption, respectively. 
Thus, it may be the case that some specific dummy ciphertext c was generated as an encryption of ‘0’, and 
the simulated P now needs to “convince” the adversary that c is in fact an encryption of ‘1’ (or vice versa). 
This task is impossible if a standard encryption scheme (i.e., an encryption scheme where no ciphertext 
can be a legal encryption of both ‘1’ and ‘0’) is used. 

We remark that Feldman, and independently Beaver and Haber, have suggested to solve this problem 
as follows [F, BH]. Instruct each party to erase (say, at the end of each round) all the information involved 
with encrypting and decrypting of messages. If the parties indeed erase this data, then the adversary will no 
longer see, upon corrupting a party, how past messages were encrypted and decrypted. Thus the problem 
of convincing the adversary in the authenticity of past ciphertexts no longer exists. Consequently, such 
“erasing” protocols can be shown adaptively secure in the computational setting. However, this approach 
is clearly not valid in the presence of semi-honest parties. In particular, it is not known whether the [F, BH] 
protocols (or any other previous protocols) are secure in the presence of non-erasing parties. 


Sketch of our solution. We solve this problem by constructing an encryption scheme that serves as an 
alternative to standard encryption schemes, and enjoys an additional property roughly described as follows. 
One can efficiently generate dummy ciphertexts that can later be “opened” as encryptions of either ‘0’ 
or ‘1’, at wish. (Here the word ‘ciphertext’ is used to denote all the information seen by the adversary 
during the execution of the protocol.) These dummy ciphertexts are different and yet computationally 
indistinguishable from the valid encryptions of ‘0’ (or ‘1’) produced in a real communication. We call such 
encryption protocols nen-committing.? 


Let € (resp., €) denote the distribution of encryptions of the value 0 (resp., 1) in a public-key 
encryption scheme. For simplicity, suppose that each of these distributions is generated by applying an 
efficient deterministic algorithm, denoted A (resp., A“), to a uniformly selected n-bit string. In a 
traditional encryption scheme (with no decryption errors) the supports of € and €“ are disjoint (and 
€, € are computationally indistinguishable). In a non-committing encryption scheme, the supports 
of € and € are not disjoint but the probability that an encryption (of either ‘0’ or ‘1’) resides in 
their intersection, denoted J, is negligible. Thus, decryption errors occur only with negligible probability. 


€ amb 


However, the simulator can efficiently generate a distribution which assumes values in J so that this 


distribution is computationally indistinguishable from both € and €“. ° Furthermore, each “ambiguous 
ciphertext” c € I is generated together with two random looking n-bit strings, denoted rp and r,, so that 
AM(r9) = AY(r,) = c. That is, the string ro (resp., r,) may serve as a witness to the claim that ¢ is an 


? There is also the easier problem of generating the messages sent by P to corrupted parties. This was the problem discussed 
in the previous subsection. However, our hypothesis that S is a simulator for the secure channel model means that S is able 
to generate these cleartext messages. Thus, all that S needs to do is encrypt the messages it has obtained from S. 

° This “non-committing property” is reminiscent of the “Chameleon blobs” of [BCC]. The latter are commitment schemes 
where the recipient of a commitment c can generate by himself de-commitments of c to both 0 and 1, whereas the sender is 
“effectively committed” to a specific bit value. 

* Each of these algorithms is also given an n-bit encryption key. 

>Consequently, it must be that EO and € are computationally indistinguishable. Thus, a non-committing encryption 
scheme is also a secure encryption scheme in the traditional sense. 


encryption of ‘0’ (resp., ‘1’). See Section 3.4 for a definition of non-committing encryption protocols. 

Using a non-committing encryption protocol, we resolve the simulation problems which were described 
above. Firstly, when transforming a into 7, we replace every bit transmission of 7 by an invocation of 
the non-committing encryption protocol. This allows us to generate dummy ciphertexts for messages sent 
between uncorrupted parties so that at a later stage we can substantiate for each such ciphertext both the 
claim that it is an encryption of ‘0’ and the claim that it is an encryption of ‘1’. We stress that although 
dummy ciphertexts appear with negligible probability in a real execution, they are computationally in- 
distinguishable from a uniformly generated encryption of either ‘0’ or ‘1’. Thus, using a non-committing 
encryption protocol we construct adaptively secure protocols for computing any (recursive) function in the 
computational model in the presence of non-erasing parties. Finally, we construct a non-committing en- 
cryption protocol based on a primitive called common-domain trapdoor systems (see Definition 4.3). We 
also describe two implementations based on the RSA and Diffie-Hellman assumptions respectively. Thus, 
we get 


Theorem 2.1 Jf common-domain trapdoor systems exist, then there exist secure protocols for computing 
any (recursive) function in the computational setting, in the presence of non-erasing parties and adaptive 
adversaries that corrupt less than a third of the parties. 


We remark that, using standard constructions (e.g., [RB]), our protocols can be modified to withstand 
adversaries that corrupt less than half of the parties. 


Dealing with honest-looking parties. In Section 5, we sketch a solution for the case of honest-looking 
parties, assuming, in addition to the above, also the existence of a “trusted dealer” at a pre-computation 
stage. We stress that this result does not hold if an initial (trusted) set-up is not allowed. 


3 Definitions 


In Section 3.1 we define semi-honest protocols (with respect to the three variants discussed in Section 2.1). 
This notion underlies all our subsequent definitions. In Sections 3.2 and 3.3 we define adaptively secure 
multi-party computation in the secure channels and the computational settings, respectively. Although the 
focus of this work is the computational setting, we state this definition also in the secure channels setting. 
This will enable us to discuss our results as a general transformation from adaptively secure protocols in the 
secure channels setting into adaptively secure protocols in the computational setting, without getting into 
details of specific protocols. In Section 3.4 we define our main tool, non-committing encryption protocols. 
Throughout Section 3 we assume that the reader has acquired the intuition provided in Section 2. 


Let us first recall the standard definition of computational indistinguishability of distributions. 


Definition 3.1 Let A = {Az}eefor;+ and B = {Br}reso1;+ be two ensembles of probability distributions. 
We say that A and B are computationally indistinguishable if for every positive polynomial p, for every 
probabilistic polynomial-time algorithm D and for all sufficiently long x’s, 
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|Prob( D(A,) = 1) — Prob( D(B,) = 1)| < mle) 


We colloquially say that “A, and B, are computationally indistinguishable”, or “A, © B,”. 


3.1 Semi-honest protocols 


We define semi-honest parties (or, equivalently, semi-honest protocols) for the three alternative notions 
of semi-honesty discussed in Section 2.1. First we define honest-but-non-erasing (or in short non-erasing) 
protocols. Informally, a protocol z’ is non-erasing for a protocol 7, if x’ is identical to 7 with the exception 
that 7’ may omit instructions to erase data. Actually, it suffices to consider a non-erasing protocol which 
keeps a record of the entire history of the computation. 


Definition 3.2 Let « and a’ be n-party protocols. We say that 1m’ is a non-erasing protocol for a if 1’ is 
identical to x with the exception that, in addition to the instructions of 7, protocol r' copies the contents 
of each memory location accessed by x to a special record tape (inaccessible by 7). 


Next we define honest-looking protocols. Informally, a party is honest-looking if its behavior is indistin- 
guishable from the behavior of an honest party by any external test. (Internally the party may arbitrarily 
deviate from the protocol.) More formally, let com,(@,7) denote the communication among n parties run- 
ning 7 on input % and random input 7 (2; and r; for party P;). Let com,(#) denote the random variable 
describing coM,(#,7) when 7 is uniformly chosen. For n-party protocols p and 7 and an index 7 € [n], let 
P/ti,x) denote the protocol where party P; executes 7 and all the other parties execute p. 


Definition 3.3 Let a and x’ be n-party protocols. We say that x’ is a perfectly honest-looking protocol for 
n if for any input @, for any n-party “test” protocol p, and for any index i € [n], we have 


=, d > 
COMp,,, (2) = COMp,,, 1)(£) 


(where = stands for “identically distributed”). If the test protocol p is restricted to probabilistic polynomial 
time, and COMp,, (2) x COMp <1) (£), then we say that 1’ is a computationally honest-looking protocol 
for x. 


Here the “test” protocol p represents a collaboration of all parties in order to test whether P; is honest. 


Next we define weakly-honest protocols. Here we require that Definition 3.3 is satisfied only with respect 
to the original protocol 7, rather than with respect to any test protocol p. 


Definition 3.4 Let a and x' be n-party protocols. We say that x' is a perfectly weakly-honest protocol for 
x if for any input & and for any index i € [n], we have 


COM, (#) = COMg)(i,29(2) 


If x is restricted to probabilistic polynomial time, and if coM,(#) Pe COMg/(,2)(£), then we say that r' is 
a computationally weakly-honest protocol for 7. 


3.2 Adaptive security in the secure channels setting 


We define adaptively secure multi-party computation in the secure channels setting. That is, we consider 
a synchronous network where every two parties are connected via a secure communication link (i.e., the 
adversary does not see, nor alter, messages sent between uncorrupted parties). The adversary is computa- 
tionally unlimited. 

We use the standard methodology presented in Section 2.2. That is, the execution of a protocol for 
computing some function is compared to evaluating the function in an ideal model, where a trusted party 
is used. We substantiate the definition in three steps. First, we give an exact definition of this ideal 
model. Next, we formulate our (high level) notion of ‘real-life’ protocol execution. Finally, we describe 
and formalize the method of comparing computations. 


The computation in the ideal model, in the presence of an ideal-model-adversary S, proceeds as fol- 
lows. The parties have inputs # = 2,...2, € D” (party P; has input x;) and wish to compute f(21,...,2n), 
where f is a predetermined function.° The adversary S has no initial input, and is parameterized by t, the 
maximum number of parties it may corrupt. 


First corruption stage: First, S proceeds in up to ¢ iterations. In each iteration S may decide to corrupt 
some party, based on S’s random input and the information gathered so far. Once a party is corrupted 
its internal data (that is, its input) becomes known to S. A corrupted party remains corrupted for 
the rest of the computation. Let B denote the set of corrupted parties at the end of this stage. 


Input substitution stage: S may alter the inputs of the corrupted parties; however, this is done without 
any knowledge of the inputs of the good parties. Let b be the | B|-vector of the altered inputs of the 
corrupted parties, and let 7 be the n-vector constructed from the input # by substituting the entries 
of the corrupted parties by the corresponding entries in b. 


Computation stage: The parties hand ¥ to the trusted party (party P; hands y,), and receive f(7) from 
the trusted party.’ 


Second corruption stage: Now that the output of the computation is known, S proceeds in another 
sequence of up to t—|B| iterations, where in each iteration S may decide to corrupt some additional 
party, based on S’s random input and the information gathered so far (this information now includes 
the value received from the trusted party by parties in B). We stress that S may corrupt at most ¢ 
parties in the entire computation. 


Output stage: The uncorrupted parties output f(y), and the corrupted parties output some arbitrary 
function, computed by the adversary, of the information gathered by the adversary (i.e., b and f(¥)). 
We let the n-vector IDEAL;,5(@) = IDEAL; s(Z),...IDEALss(£), denote the outputs of the parties on 
input @, trusted party for computing f, and adversary S (party P; outputs IDEAL; s(2);). 


For the benefit of formalistic readers we further formalize the above discussion (in Definitions 3.5 through 
3.7). Other readers are advised to skip a page up to the paragraph discussing the computation in the 
real-life setting. 


First, we need two technical notations. 


e For a vector # = x,...2, and a set B C [n], let &g denote the vector %, projected on the indices in 


B. 


e For an n-vector # = 2...2%,, a set B C [n], and a |B|-vector 6 = b,... Bip), let @/(, 5) denote 
the vector constructed from vector ¢ by substituting the entries whose indices are in B by the 
corresponding entries from b. 


Definition 3.5 Let D be the domain of possible inputs of the parties, and let R be the domain of possible 
random inputs. A t-limited ideal-model-adversary is a quadruple S = (t,b,h,O), where: 


e tis the maximum number of corrupted parties. 


° A more general formulation allows different parties to compute a different functions of the input. Specifically, in this case 
the range of f is a n-fold Cartesian product and the interpretation is that the i'® party should get the i'" component of f(#). 

” Tn the case where each party computes a different function of the inputs, as discussed in the previous footnote, the trusted 
party will hand each party its specified output. 
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e b:[n|*x D* xR = [n]U{L} is the selection function for corrupting parties (the value L is interpreted 
as “no more parties to corrupt at this stage”) 


e h:[n|* x D* x R — D* is the input substitution function 


e O: D* x R = {0,1}* ts an output function for the bad parties. 
The set of corrupted parties is now defined as follows. 


Definition 3.6 Let D be the domain of possible inputs of the parties, and let S = (t,b,h, O) be a t-limited 
ideal-model-adversary. Let # € D” be an input vector, and let r © R be a random input for S. The ith set 
of faulty parties in the ideal model B“(z,r), is defined as follows. 


e BOE, r) =¢ 
e Let b; S b( BO(Z, 7), Bpwan)s?)- For0 <i <t, and as long as b; £1, let 


BOM Er) S BO, r)U {b)} 


e Let i* be the minimum between t and the first i such that b; =L. Let bi = b(B©(2,r), Tawar) f(Y)s7), 


where ¥ is the substituted input vector for the trusted party. That is, 7 E[ (BO Er) BOE) F yo) wy 
Fort <i <t, let 
BOD (zr) 2 BO, r) Ul. 


In Definition 3.7 we use B® instead of BO(z,r). 


Definition 3.7 Let f : D” — D’' for some sets D, D’ be the computed function, and let # © D” be an 
input vector. The output of computing function f in the ideal model with adversary S = (t,b,h,O), on input 
& and random input r, is an n-vector IDEAL; s(@) = IDEAL; s(@),...IDEALs s(£), of random variables, 
satisfying for every 1<ai<n: 


. _ | f(y) if i¢ BY 
IDEAL ss (2); = O(fp0,f(9).7) if ie BO 


where B™ is the t™ set of faulty parties, r is the random input of S, and 7 = t/ (Bo wBO,@ 
substituted input vector for the trusted party. 


r)) is the 


B(t) 


Computation in the real-life setting. Next we describe the execution of a protocol 7 in the real- 
life scenario. The parties engage in a synchronous computation in the secure channels setting, running 
a semi-honest protocol a’ for 7 (according to any one of the notions of semi-honesty defined above). A 
computationally unbounded ¢-limited real-life adversary may choose to corrupt parties at any point during 
the computation, based on the information known to the previously corrupted parties, and as long as at 
most ¢ parties are corrupted altogether. Once a party is corrupted the current contents of its memory 
(as determined by the semi-honest protocol 7’) becomes available to the adversary. From this point on, 
the corrupted party follows the instructions of the adversary. Once the computation is completed, each 
uncorrupted party outputs whatever it has computed to be the function value. Without loss of generality, 
we use the convention by which the corrupted parties output their entire view on the computation. The 
view consists of all the information gathered by the adversary during the computation. Specifically, the 
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view includes the inputs and random inputs of the corrupted parties and all the communication seen by 
the corrupted parties. 

We use the following notation. Let VIEW, 4(@,7) denote the view of the adversary A when interacting 
with parties running protocol 7 on input @ and random input F (a; and r; for party P;), as described 
above. Let EXEC,4(%,7); denote the output of party P; after running protocol 7 on input % = 2,...2%, 
and random input * = r,...r,, and with a real life adversary A. (By the above convention, we have 
EXEC, 4(2,7); = VIEW,,4(2,7) for corrupted parties P;.) Let EXEC, 4(%); denote the random variable 
describing EXEC, 4(Z,7); where 7 is uniformly chosen. Let EXEC, 4(%) = EXEC, 4(@)1...EXECz 4(2)n.- 


Comparing computations. Finally we require that executing a secure protocol a for evaluating a 
function f be equivalent to evaluating f in the ideal model, in the following sense. 


Definition 3.8 Let f be an n-ary function, 7 be a protocol for n parties and T a type of semi-honest 
behavior (i.e., as in any of the Definitions 3.2 through 3.4). We say that a t-securely computes f in the 
secure channels setting, in the presence of T-semi-honest parties and adaptive adversaries, if for any T- 
semi-honest protocol x’ for x and for any t-limited real-life (adaptive) adversary A, there exists a t-limited 
ideal-model-adversary S, such that the complexity of S is polynomial in the complexity of A, and for every 
input vector & we have 

IDEAL ss (£) = EXEC, (2) 


Remark: Definition 3.8 is stated for a single value of n. In order to discuss asymptotic complexity (in 7), 
we assume that the function f, the protocol 7, the simulator S and the adversary A are Turing machines 
that have n, the number of parties, as part of their inputs. 


Black-box simulation. In the sequel we use a more restricted notion of equivalence of computations, 
where the ideal-model adversary is limited to black-box simulation of the real-life setting. That is, for 
any semi-honest protocol 7’ for 7 there should exist a ideal-model adversary S with oracle (or black-box) 
access to a real-life adversary. This black-box represents the input-output relations of the real-life adversary 
described above. For concreteness, we present the following description of the “mechanics” of this black- 
box, representing a real-life adversary. The black-box has a random tape, where the black-box expects to 
find its random input, and an input-output tape. Once a special start input is given on the input-output 
tape, the interaction on this tape proceeds in iterations, as follows. Initially, no party is corrupted. In 
each iteration J, first the black-box expects to receive the information gathered in the /th round. (In the 
secure channels setting this information consists of the messages sent by the uncorrupted parties to the 
corrupted parties.) Next black-box outputs the messages to be sent by the corrupted parties in the /th 
round. Next, the black-box may issue several ‘corrupt P;’ requests. Such a request should be answered 
by the internal data of P;, according to protocol x’. Also, from this point on P; is corrupted. At the end of 
the interaction, the output of the real-life adversary is defined as the contents of the random tape succeeded 
by the history of the contents of the input-output tape during the entire interaction. We let S4 denote 
the ideal-model adversary S with black-box access to a real-life adversary A. 

The simulator is restricted to probabilistic polynomial time (where each invocation of the black-box is 
counted as one operation).® Furthermore, we limit the operation of the simulator as follows. We require 
that the start message is sent only once, and that no party is corrupted in the ideal model unless a request 
to corrupt this party is issued by the black-box. 


’For simplicity, we assume that the computed function is polynomially computable. Alternatively, the simulator is poly- 
nomial in the complexity of the function. 
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If Definition 3.8 is satisfied by an ideal-model adversary limited to black-box simulation as described 
above, then we say that a ¢-securely computes f in a simulatable way. In this case we call the ideal-model 
adversary a black-box simulator, or in short a simulator. 

We remark that the only purpose of the technical restrictions imposed on the operation of the simulator 
is to facilitate proving composition theorems (such as Theorem 4.2). We stress that the security of known 
protocols (e.g., [BGW]) can be shown via simulators that obey these restrictions. 


3.3. Adaptive security in the computational setting 


We now turn to define adaptively secure multi-party computation in the computational setting. Here 
the communication links between parties are insecure; that is, all messages sent on all links are seen 
by the adversary.® All parties, as well as the adversary, are restricted to probabilistic polynomial time. 
Furthermore, we introduce a security parameter, determining ‘how close’ a real-life computation is to a 
computation in the ideal model. All parties are polynomial also in the security parameter. For simplicity 
of presentation, we identify the security parameter and the length of the inputs with the number of parties, 
denoted n. 

The framework of defining adaptively secure multi-party computation in this setting is the same as in 
the secure channels setting (Section 3.2). That is, we compare the real life computation with a computation 
in the same ideal model. Since the real-life adversary is restricted to probabilistic polynomial time, so is the 
ideal-model adversary. The execution of a protocol 7 in the real-life scenario (of the computational setting), 
as well as the notation EXEC, 4(£), are the same as in the secure channels setting, with the exception that 
the real-life adversary sees all the communication between the uncorrupted parties. Needless to say that 
the ideal model is the same in both settings. 

We define equivalence of a real-life computation to an ideal-model computation in the same way, 
with the exception that here we only require that the corresponding distributions are computationally 
indistinguishable. Black-box simulation is defined as in the secure channels setting, with the exception 
that the information gathered by the adversary in each round includes the communication between all 
parties. 


Definition 3.9 Let f be an n-ary function, r be a protocol for n parties and T a type of semi-honest 
behavior (i.e., as in any of the Definitions 3.2 through 3.4). We say that a t-securely computes f in the 
computational setting, in the presence of T-semi-honest parties and adaptive adversaries, if for any T- 
semi-honest protocol x' for x and for any t-limited real-life (adaptive) adversary A, there exists a t-limited 
ideal-model-adversary S, such that for every input vector € we have 


IDEAL s(@) & EXEC, 4(@). 
If S is restricted to black-box simulation of real-life adversaries, as described above, then we say that 7 
t-securely computes f in a simulatable way in the computational scenario. 
3.4 Non-committing encryption 


We present a concise definition of a non-committing encryption protocol in our multi-party scenario. 
First define the bit transmission function BTR : {0,1,L}" — {0,1,L}". This function is parameterized 
by two identities of parties (i.e., indices s,r € [n]), with the following interpretation. BTR, , describes 


°For simplicity we assume that the links are authenticated, namely the adversary cannot alter the communication. Authen- 
ticity can be achieved via standard primitives. 
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the secure transmission of a bit from party P, (the sender) to party P, (the receiver). That is, for 
E=21,...,Up € {0,1, L}” let 


BTR, ,(Z) x, if i=r 
£); = ; 
sree | otherwise 


where BTR, ,(Z); is the i*" component of the vector BTR, .(%). We are interested in input vectors @ where 
a, (i.e., the senders input) is in {0,1}. All other inputs are assumed to be L. 


Definition 3.10 Let s,r € [n] and s # r. A protocol ¢ is a t-resilient (in the presence of T-semi- 
honest parties and adaptive adversaries), non-committing encryption protocol (from P, to P,.) if ¢ t-securely 
computes BTR,,, ina simulatable way, in the computational model, in the presence T -semi-honest parties 
and an adaptive adversary. 


It may not be immediately evident how Definition 3.10 corresponds to the informal description of non- 
committing encryptions, presented in Section 2.3. A closer look, however, will show that the requirements 
from the simulator associated with a non-committing encryption protocol (according to Definition 3.10) 
imply these informal descriptions. In particular, in the case where the simulated adversary corrupts the 
sender and receiver only after the last communication round, the simulator has to first generate some 
simulated communication between the parties, without knowing the transmitted bit. (This communication 
serves as the “dummy ciphertext”.) When the sender and/or the receiver are later corrupted, the simulator 
has to generate internal data that correspond to any required value of the transmitted bit. 


4 Non-erasing parties 


We show that any recursive function can be securely computed in the computational setting, in the presence 
of adaptive adversaries and non-erasing parties. In Subsection 4.1 we show how, using a non-committing 
encryption protocol, a simulatable protocol for computing some function f in the computational setting 
can be constructed from any simulatable protocol for computing f in the secure channels setting. In 
Subsection 4.2 we present our construction of non-committing encryption. We use the following result as 
our starting point: 


Theorem 4.1 The [BGW, CCD] protocols for computing any function of n inputs are ([$] — 1)-securely 
computable in a simulatable way, in the secure channels setting, in the presence of non-erasing parties and 
adaptive adversaries.'° 


4.1 Adaptive security given non-committing encryption 


The following theorem formalizes the discussion in Section 2.3. 


Theorem 4.2 Let f be an n-ary function, t <n and a be a protocol that t-securely computes f in a sim- 
ulatable way in the secure channels setting, in the presence of non-erasing parties and adaptive adversaries. 
Suppose that ¢,, 1s a t-resilient non-committing encryption protocol, resilient to non-erasing parties and 
adaptive adversaries, for transmission from P, to P,. Let 7 be the protocol constructed from a as follows. 
For each bit o transmitted by x from party P, to party P,, protocol x invokes a copy of a é,, for transmit- 
tinga. Then @ t-securely computes f, in a simulatable way in the computational setting, in the presence of 
non-erasing parties and adaptive adversaries. 


°A security proof of the [BGW] construction can be extracted from [C, Chap. 3], which deals with the more involved 
asynchronous model. 
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Proof (sketch): Let a’ be a non-erasing protocol for 7 and let S be a simulator for a’ in the secure 
channels setting. For simplicity we assume that in protocol 7, as well as in the interaction generated by S, 
each party sends on bit to each other party in each round. Let 6 be the (computational-model) simulator 
that corresponds to the non-erasing protocol ¢’ for the non-committing encryption protocol ¢. Given these 
two different simulators, we construct a simulator S for protocol * in the computational setting. The 
simulator § will be a modification of S and will use several copies of 6 as subroutines. 

Recall that S is supposed to interact with a black-box representing a real-life adversary in the secure 
channels setting. That is, at each round S generates all the messages sent from uncorrupted parties to 
corrupted parties. Furthermore, whenever the black-box decides to corrupt some party P, machine S 
generates internal data for P which is consistent with P’s input and with the messages previously sent by 
P to corrupted parties. 

The simulator S, interacts with a black box representing an arbitrary real-life adversary in the compu- 
tational setting, denoted A. The simulator S is identical to S with the exception that for each bit sent in 
the interaction simulated by S, the simulator S invokes a copy of 6 and S incorporates the outputs of the 
various copies of 6 in its (i.e., S’s) communication with A. Likewise, S extracts the transmitted bits from 
the invocations of é corresponding to message transmissions from corrupted parties to uncorrupted ones. 
(The way S handles these invocation will be discussed below.) At this point we stress that A is the only 
adversary that S needs to simulate and to this end it “emulates” real-life adversaries of its choice for the 
copies of 6. In particular, when S asks to corrupt some party P, the simulator S corrupts the same party 
P. When S generates P’s view in the secure channel setting, S will complete this view into P’s view in 
the computational setting by using the various copies of 6. 

We describe how S handles the various copies of 6. As stated above, S emulates a real-life adversary 
for each copy of 6 using the communication tapes by which this copy is supposed to interact with its 
black-box/adversary. The information that 6 expects to receive form its black box is extracted, in the 
obvious manner, from the information that S receives from A. That is, S hands 6 the messages, sent by 
the corrupted parties, that are relevant to the corresponding invocation of ¢’. Furthermore, all the past 
and current requests for corrupting parties (issued by A) are handed over to 6. The partial view received 
from each copy of 6 is used in the emulation of the corresponding black-box (of this é-copy) as well as 
incorporated in the information handed by S to A. When A asks to corrupt some party P, the simulator 
S emulates a ‘corrupt P’ request to each copy of 6 and obtains the internal data of P in the corresponding 
sub-protocol ¢ which it (i.e., S) hands to A (along with the information obtained by S — the secure channel 
simulator). Finally, observe that 6 = é6,, (where P, and P, are the designated sender and receiver) also 
expects to interact with parties in the ideal-model. This interaction consists of issuing ‘corrupt’ requests 
and obtaining the internal data (of the ideal model). This interaction is (also) emulated by S as follows. 
Whenever 6 wishes to corrupt a party P which is either P, or P., the simulator S§ finds out which bit, o, 


i 
r,s 


was supposed to be sent in this invocation of ¢,, and passes a to 6,,. We stress that o is available to S 
since at this point in time P has already been corrupted and furthermore S (which mimics S) has already 
obtained P’s view in the secure channel setting. (Here we use Definitions 3.9 and 3.10 which guarantee 
that 6 corrupts a party only if this party is already corrupted by 6’s black box. We also use the fact that 
S is playing 6’s black box and is issuing a ‘corrupt P’ request only after receiving such a request from A 
and having simulated this corruption as S.) In case P is neither P, not P, the simulator S passes L (as 
P’s input) to 6. 

Let 7’ be a non-erasing protocol for # and A be as above (i.e., an arbitrary real-life adversary in the 
computational setting). We claim that S4 (i.e., the ideal-model adversary S with black-box access to A) 


properly simulates the execution of 7’. We need to show that for any adversary A and for any input € we 
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have 
IDEAL, ga(@) © EXECs, 4(@). 


Here we present only a rough sketch of the proof of this claim. The plan is to construct a real-life adversary 
A in the secure channels setting, and prove the following sequence of equalities by which the above claim 
follows: 

IDEAL; g4(2) = RAL; s4(£) S EXECy 4(#) © EXEC; 4(2) (1) 


Regardless of what A is, the second equality follows immediately from the hypothesis that S is a simulator 
for x’ (the non-erasing protocol for 7) in the secure channels setting. It remains to construct A so that 
the other two equalities hold. 

The real-life adversary A of the secure channel setting will operate via a simulation of A (the real-life 
adversary of the computational setting), imitating the simulation carried out by S. That is, for each bit 
communicated by 7, machine A will invoke a copy of 6 while emulating an adversary in accordance with A. 
In particular, A will be given all ciphertexts sent in the open as well as all internal data of corrupted parties 
(regardless if these parties were corrupted before, during or after the ‘real’ transmission). Furthermore, 
when A corrupts a party P, machine A corrupts P and hands A the internal data of P, along with the 
outputs of the relevant copies 6, just as S does. At the end of the computation A outputs whatever A 
outputs (that is, A outputs A’s view of the computation). It follows from the definition of A that the 
execution of S, with black-box access to A, is in fact identical to the execution of S with black-box access 
to A. Thus, IDEAL; g4(2) < 1DRAL;s4(£) which establishes the first equality in Eq. (1). 

It remains to show that EXEC, 4(#) © EXEC; 4(@). Essentially the difference between these two 
executions is that EXEC, 4(Z) is a real-life execution in the secure channel setting which is augmented by 
invocations of 6 (performed by A), whereas EXEC;, (2) is a real-life execution in the computational setting 
in which honest parties use the encryption protocol ¢’. However, the security of ¢ means that invocations 
of 6 are indistinguishable from executions by ¢’ (both in presence of adaptive adversaries). Using induction 


on the number of rounds, one thus establishes the last equality of Eq. (1). 


4.2 Constructing non-committing encryption 


Before describing our non-committing encryption protocol, let us note that one-time-pad is a valid non- 


1.1! The drawback of this trivial solution is that it requires an initial set-up in 


committing encryption protoco 
which each pair of parties share a random string of length at least the number of bits they need to exchange. 
Such an initial set-up is not desirable in practice and does not resolve the theoretically important problem 


of dealing with a setting in which no secret information is shared a-priori. 

Our scheme uses a collection of trapdoor permutations together with a corresponding hard-core pred- 
icate [BM, Y, GrL]. Actually, we need a collection of trapdoor permutation with the additional property 
that they are many permutations over the same domain. Furthermore, we assume that given a permutation 
f over a domain D (but not f’s trapdoor), one can efficiently generate at random another permutation f’ 
over D together with the trapdoor of f’. Such a collection is called a common-domain trapdoor system. 


Definition 4.3 A common-domain trapdoor system is an infinite set of finite permutations {fy 6: Dao mS 
Dahca,ajep, where PC {0,1}*x {0, 1}*, so that 


™ Assume that each pair of parties share a sufficiently long secret random string, and each message is encrypted by bitwise 
xor-Ing it with a new segment of the shared random string. Then Definition 3.10 is satisfied in a straightforward way. 
Specifically, the simulated message from the sender to the receiver (i.e., the dummy ciphertext), denoted c, can be uniformly 
chosen in {0,1}. When either the sender or the receiver are corrupted, and the simulator has to demonstrate that c is an 
encryption of a bit o, the simulator claims that the corresponding shared random bit was r= c@oa. Clearly r is uniformly 
distributed, regardless of the value of o. 
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e domain selection: There exists a probabilistic polynomial-time algorithm G, so that on input 1”, 
algorithm G', outputs a description a € {0,1}”" of domain Dy. 


function selection: There exists a probabilistic polynomial-time algorithm Gy so that on input a, 
algorithm Gy outputs a pair (9,t(3)) so that (a, 3) € P. (8 is a description of a permutation over 
D,, and t() is the corresponding trapdoor. ) 


domainsampling: There exists a probabilistic polynomial-time algorithm S that on input a, uniformly 


selects an element of Dy. 


function evaluation: There exists a polynomial-time algorithm F that on inputs (a, 3) € P and 
a € Dy, returns fy g(x). 


function inversion: There exists a polynomial-time algorithm I that on inputs (a,t(3)) and y € Da, 
where (a, 3) € P, returns fay) 


one-wayness: For any probabilistic polynomial-time algorithm A, the probability that on input (a, 3) € 
P and y = fag(«), algorithm A outputs x is negligible (in n), where the probability distribution is 
over the random choices of a = G,(1"), 9 = G2(a), « = S(a) and the coin tosses of algorithm A. 


Remarks: 


e The standard definition of trapdoor permutations can be derived from the above by replacing the 
two selection algorithms, G, and G2, by a single algorithm G that on input 1” generates a pair 
(3,t(3)) so that 6 specifies a domain Dg, as well as a permutation fs over this domain (and ¢(/3) is 
fs’s trapdoor). Thus, the standard definition does not guarantee any structural resemblance among 
domains of different permutations. Furthermore, it does not allow to generate a new permutation 
with corresponding trapdoor for a given domain (or given permutation). Nevertheless some popular 
trapdoor permutations can be formulated in a way which essentially meets the requirements of a 
common-domain trapdoor system. 


e Common-domain trapdoor systems can be constructed based on an arbitrary family of trapdoor per- 
mutations, { fg: Dz ane Dg}, with the extra property that the domain of any permutation, generated 
on input 1”, has non-negligible density inside {0,1}” (ie., |Ds| > paras - 2/81), We construct a 
common-domain family where the domain is {0,1}” and the permutations are natural extensions of 
the given permutations. That is, we let G,(1") = 1", G.(1") = G(1") and extend fs into gg so that 
ga(@) = fe(x) if e € Dg and gg(a) = x otherwise. This yields a collection of “common-domain” per- 
mutations, {gg :{0, 1}!4 > {0, 1}!91), which are weakly one-way. Employing amplification techniques 
(e.g., [Y, GILVZ]) we obtain a proper common-domain system. 


In the sequel we refer to common-domain trapdoor systems in a less formal way. We say that two one- 
way permutations, f, and f,, are a pair if they are both permutations over the same domain (i.e., a = (a, 1) 
and 6 = (a, 2), where the domain is D,). We associate the permutations with their descriptions (and 
the corresponding inverse permutations with their trapdoors). Finally, as stated above, we augment any 
common-domain trapdoor system with a hard-core predicate, denoted B. (That is, B is polynomial-time 
computable, but given (f, and) f,(a) is it infeasible to predict B(x) with non-negligible advantage over 


1/2.) 
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Outline of our scheme. The scheme consists of two stages. In the first stage, called the key generation 
stage, the parties arrive at a situation where the sender has two trapdoor permutations f,, /, of a common- 
domain system, the trapdoor of only one of which is known to the receiver. Furthermore, the simulator 
will be able to generate, in a simulated execution of the protocol, two trapdoor permutations with the 
same distribution as in a real execution and such that the trapdoors of both permutations are known. 
(The simulator will later open dummy ciphertexts as either ‘0’ or ‘1’ by claiming that the decryption key 
held by the receiver is either f7! or f;'. The correspondence between {0,1} and {a,b} will be chosen at 
random by the simulator and never revealed). The key generation stage is independent of the bit to be 
transmitted (and can be performed before this bit is even determined). 

Our most general implementation of this stage, based on any common-domain system, requires partic- 
ipation of all parties. It is described in Section 4.2.2. In the implementations based on the RSA and DH 
assumptions (see Section 4.3) the key-generation stage consists of only one message sent from the receiver 
to the sender. 

The second stage, in which the actual transmission takes place, consists of only one message sent from 
the sender to the receiver. This stage consists of encryption and decryption algorithms, invoked by the 
sender and the receiver respectively. 

We first present, in Section 4.2.1, the encryption and decryption algorithms as well as observations that 
will be instrumental for the simulation. In Section 4.2.2 we present the key generation protocol. (A reader 
that is satisfied with a construction based on specific number theoretic assumptions may, for simplicity, 
skip Section 4.2.2 and read Section 4.3 instead.) Finally we show that these together constitute the desired 
non-committing encryption protocol. 


4.2.1. Encryption and decryption 


Let f, and f, be two randomly selected permutations over the domain D, and let B be a hard-core predicate 
associated with them. The scheme uses a security parameter, k, which can be thought to equal log, |D]. 


Encryption: to encrypt a bit o € {0,1} with encryption key (f., f,), the sender proceeds as follows. 
First it chooses 71,...,%g, at random from D, so that B(a;) = o for 7 = 1,...,5k and B(a;) = l-o 
otherwise (i.e., for i = 544 1,...,8h). For each a; it computes y; = fa(a;). These x;’s (and y;’s) are 
associated with f, (or with a). Next, it repeats the process with respect to f,. That is, vgp4i,.--, 216% are 
chosen at random from D, so that B(a;) = o for i = 8k 4+ 1,...,13k and B(2;) = 1 - o otherwise, and 
yi = fo(a;) for i = 8k 41,...,164. The latter x;’s (and y;’s) are associated with f, (or with 5). Finally, 
the sender applies a random re-ordering (i.e., permutation) ¢ : [16k] — [16k] to y1,...,%16, and send the 
resulting vector, Yg(1),-++5Ys(16k), to the receiver. 


Decryption: upon receiving the ciphertext y,,..., ¥16%, When having private key f>' (where r € {a,b}), 
the receiver computes B(f7'(y1)),---, BUS '(y16x)), and outputs the majority value among these bits. 


Correctness of decryption. Let us first state a simple technical claim. 


Claim 4.4 For all but a negligible fraction of the a’s and all but a negligible fraction of permutation pairs 
f, and f, over D,, 


|Prob( B( fy '(fa(a))) = B(a)) - a is negligible (2) 


where the probability is taken uniformly over the choices of x € Dy. 
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Proof: Assume for contradiction that the claim does not hold. Then, without loss of generality, there 
exists a positive polynomial p so that for infinitely many n’s, we have 


. -1 _ -1 1 1 1 

Prob (I{y € Dy: BUS "(w)) = BUS (W))H > 5+ Soy) Pal) > 5 

when f, and f, are independently generated from a = G,(1"). This means that for these (a,a,b)’s 

B(f='(y)) gives a non-trivial prediction for B( fy '(y)). Intuitively this cannot be the case and indeed this 
lead to contradiction as follows. 

Given a = (a,3) € P and y € D, we may predict B( f7'(y)) as follows. First we randomly generate 

a new permutation. f,, over D,, together with its trapdoor. Next we test to see if indeed B(f7'(z)) 

is correlated with B( fy'(z)). (The testing is done by uniformly selecting polynomially many 2,’s in Da, 

computing z; = f,(a;), and comparing B(f7'(z;)) = B(a;) with B( fy '(%)).) Ifa non-negligible correlation 

is detected then we output B(f;'(y) (as our prediction for B( fz!(y))). Otherwise we output a uniformly 

selected bit. (Note that |Prob( B(«) = 1) — $| must be negligible otherwise a constant function contradicts 


the hard-core hypothesis. ) 


From this point on, we assume that the pair (f., f,) satisfies Eq. (2). 


Lemma 4.5 Let ¥ = y1,.--,Yi6r be a random encryption of a bit o. Then with probability 1 — 2-2) the 
bit decrypted from ¥ is oc. 


Proof: Assume without loss of generality that the private key is f7>'. Then, the receiver outputs the 
majority value of the bits B(f7'(y1)),---, BUf7"(yiex))- Recall that 8k of the y;’s are associated with f,. 
Out of them, 5k (of the y;’s) satisfy B(f7'(y;)) = B(a;) = 0, and 3k satisfy B( f7'(y;)) = B(a;) =1-o. 
Thus, the receiver outputs 1—o only if at least 54 out of the rest of the y,’s (that is, the y,;’s associated with 
fy) satisfy B( fz '(y)) = 1—o. However, Eq. (2) implies that |Prob( B( fz '(yi) = 7)—3$| is negligible for each 
y; associated with f,. Thus only an expected 4k of the y,’s associated with f, satisfy B(f7'(y,)) =1-—o. 
2k) 


Using a large deviation bound, it follows that decryption errors occur with probability 27 


Simulation assuming knowledge of both trapdoors. In Lemma 4.7 (below) we show how the sim- 
ulator, knowing the trapdoors of both f, and f,, can generate “dummy ciphertexts” 7= z,,..., 216, that 
can be later “opened” as encryptions of both 0 and 1. Essentially, the values B( f7'(z;)) and B( fy ‘(2)) 
for each z; are carefully chosen so that this “cheating” is possible. We use the following notations. Fix 
an encryption key (f., f,). Let the random variable A, = (0; %, 6; #17, f-') describe a legal encryption and 
decryption process of the bit o. That is: 


e@ = %,...,2 6, is a vector of domain elements chosen at random as specified in the encryption 
algorithm. 


e ¢is arandom permutation on [164]. 
e ¥=1,---, Yiee 18 generated from # and ¢ as specified in the encryption algorithm. 


e ris uniformly chosen in {a,b} and f-' is the inverse of f,. (Note that the decrypted bit is defined 
by the majority of the bits B( f7'(y:).) 


We remark that the information seen by the adversary, after the sender and receiver are corrupted, includes 
either Ao or Ay (but not both). 


Let us first prove a simple technical claim, that will help us in proving Lemma 4.7. Let BIN,, denote 
the binomial distribution over [m]. 
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Claim 4.6 There exists an efficiently samplable distribution js over {0,1,...,4k} so that the distribution 
fi constructed by sampling an integer from pe and adding 2k is statistically close to BINg,. That is, the 
statistical distance between ji and BINg, is 27%), 

Proof: Let BINs;,(i) denote the probability of i under BINg, (i-e., BINse(i) = (**) - 278"). We construct 
the distribution jy (over {0,1,...,44}) so that Prob(u=72) = BINg,(t + 2k) for 7 = 1,...,4n and Prob(j=0) 
equals the remaining mass of BINg, (i.e., it equals 77", BINge(7) + oe 6p 41 BINse(2))- 

It can be easily seen that each i € {2k 4. 1,...,64} occurs under f with exactly the same probability 
as under BINg,. Integers 7 such that i < 2k or i > 6k have probability 0 under ~ (whereas 2k is more 
likely to occur under fi than under BINg,). Thus, the statistical distance between ji and BINg; equals the 
probability, under BINg;, that 7 is smaller than 2k or larger than 6k. This probability is bounded by 27%), 


Lemma 4.7 Let (fa, f,) be the public key, and assume that both fr! and fy! are known. Then it is 
possible to efficiently generate 7, #, #0, 6%, AY), r©, rr, such that: 

1. (0; HH; 20), fh) & Yo. 

2. (1,8), bY, 2 r), fos) = Ay. 
Here & stands for ‘computationally indistinguishable’. We stress that the same dummy ciphertext, 7, 
appears in both (1) and (2). 
Proof: Before describing how the dummy ciphertext 7 and the rest of the data are constructed, we 
summarize, in Figure 1, the distribution of the hard-core bits, B(f7'(¥1)), ..., 0(F7"(qiex)) and 
B( fe (1), BUfy (yiex)), with respect to a real encryption Yo(1)>+++s York) Of the bit o = 0. Here 
BINg, denotes the distribution of the number of ‘1’s in B( fy '(y;)) for 7 = 1,...,8k. Eq. (2) implies that 
the statistical difference between BINg, and BINg, is negligible. The distribution of B(f7*(y;)) for ¢ = 
8k +1,...,16% is similar. Given only Ao (or only A,), only three-quarters of the B( f>'(y;))’s, ¢ € [164] and 


T= {1,...,8k} | P= {8k +1,..., 16k} 


Viel 
yoier BC fr" (y)) 
ier Bf, (vi) 


Figure 1: The distribution of the B( fz'(y;))’s with respect to Aj, where s € {a,b}. (The case of A; is 
similar, with the exception that 5k is replaced for 3k.) 


s € {a,b}, are known. Specifically, consider A, = (0; 7,0; 9; 7, f-'), and suppose that r = a. Then all the 
B(fz*(y:))’s can be computed using f7!. In addition, for i = 8k +1,...,16k, B( fy ‘(y:)) = B(a,) is known 
too. However, for 7 € [8k], B( fy ‘(y)) = BUfy' falz;))) is not known and in fact it is (computationally) 
unpredictable (from A,). A similar analysis holds for r = 5b; in this case the unpredictable bits are 
BUfo' (i) = BUfa folwi))) for i = 8h + 1,..., 16h. 

INITIAL CONSTRUCTION AND CONDITIONS: Keeping the structure of A, in mind, we construct 7, along 
with £9, @), 6, 6, r© and r“, as follows. First, we select uniformly a bijection, p, of {0,1} to {a,b} 
(i.e., either p(0) = a and p(1) = b or the other way around) and set r) = p(0) and r = p(1). Next, we 
choose, in the way described below, two binary vectors 7°) = 41), .. 7} and ¥) = VY), .. ae We 
choose random values %1,..., 0g, such that 7{° = B(fxo)( i) and 7{) = BU fry (v)), for each i € [16k]. 
We uniformly select a permutation ~ over [16k] and let the permuted vector vyc1),-.., Upci6e) be the dummy 
ciphertext 7 = (%,.--,Z16e). It remains to determine 6 and 6, which in turn determine 7° and x) 
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so that 2{” = fz" (46@)-1«)) for i € [8k] and a? = fy '(Z6@uy) otherwise. This should be done so 
that both permutations 6° and ¢ are uniformly (but not necessarily independently) distributed and so 
that the known B(f>!(y$”))’s match the distribution seen in a legitimate encryption of a. We stress that 
(0,8, A; 77, fro) should appear as a valid encryption of o. In particular, for each o € {0,1} there 
should exist a permutation 7'%) (= (#')~! 0 d) over [16k] so that’? 


1. MOS? = BUT Moyo) = BUT Gee) = Bla”) = o, for i= 1,..., 5k. 
(E.g., if p(0) = a this means Woe) =o.) 


2. Weoruy = BUF (vey) = BUF (Zoe)) = B(@y”) = 1a, for i = 5k + 1,..., 8h. 


a a 


(E.g., if p(0) = a this means Wen =1l-o.) 


3. Vile, = BU (ueny)) = BUy (Zea) = BC”) = , for i= 8k + 1,..., 13k. 
(E.g., if p(0) = a this means Weve) =o.) 


4. Wingy) = BUy (pena) = BUe Zp) = BOY) = 1 =, for 1 = 13h +1, ..., 16k. 


(E.g., if p(0) = a this means Weve) =1l-o.) 


5. Let £ = [8k] if p(o) = b and J = {8k + 1,..., 16k} otherwise. Then, Woe = B( fra) (wore) = 
B( fi5) (Zea) = BU fxh)(Foa0)(@s”))) equals o with probability negligibly close to 4, for i € J. 
(E.g., for p(0) = a and o = 0 we have Prob(e0 (5 = 1) & ¢ for i = 8k + 1,..., 16k, whereas for 
p(0) =a and o = 1 we have Prob(7¢ =1)% $ fori =1,..., 8k.) 

This allows setting 6) = wo (W)-+ so that Ce 
tributed (i.e, 2} = fo (yen) = fr (Ze -eQ8)) = Se (2 eer)-105)) for # € [8k] and 21 = fr '(ZeGy) 
otherwise). 

INITIAL SETTING OF 7, FY, YO ann w™: The key issue is how to select 7 and 7 so that the five 
condition stated above hold (for both o = 0 and o = 1). As a first step towards this goal we consider the 


is “mapped” to z; while ¢ is uniformly dis- 


four sums 
det (p~*(a)) def — (p~*(8)) det (p~*(8)) def — (p~*(a)) 
¢ de “la go de —lip o de l(b o de “la 
sy = Wor) , 32 = » Wor) , 53 = ye Wye) , C= > Myers) 
t=1 t=8k4+1 t=1 t=8k4+1 


The above conditions imply $7 = S¥ = 5k-a¢+3k-(1—c) = 3k + 2ko as well as SZ 5 BINg, if p(o) = b 
and S{ = BiNg, otherwise. (Note that $3,57 and BINg, are random variables.) 

To satisfy the above summation conditions we partition [16k] into 4 equal sized subsets denoted 
Lh, Io, 13,1, (e-g., = [Ak], bb = {4k +1,....8k}, Ip = {8k + 1,...,12k} and L, = {12k + 1,...,16h}). 
This partition induces a similar partition on the 46%s and the yrs, The rg and the 4s in each set 
are chosen using four different distributions which satisfy the conditions summarized in Figure 2. Suppose 
p(0) =a. Then, we may set 7 ([8k]) = Uy and p({8k +1,..., 16k}) = UL, and p([8k]) = Us 
and PU ({8k+1,...,16k}) = InUL,, where (I) = J means that the permutation 7 maps the elements of the 
set I onto the set J. (It would have been more natural but less convenient to write ()-1(Z, U Is) = [8k] 


"2 Tn each of the following five conditions, the first equality is by the construction of the v;’s, the second equality is by the 
definition of the z;’s, and the third equality represents the relation between gO), Zand go that holds in a valid encryption (of 
a). In conditions (1) through (4), the last equality represents the relation between z” and o that holds in a valid encryption 
of o. In condition (5), the last equality represents the information computable from 7 using (the trapdoor) ft): Here we 


(@)> 


refer to the inverses of the z;’s which are not x;°’’s. The hard-core value of these inverses should be uniformly distributed. 
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Figure 2: The distribution of the y°’s and ys. (yu is as in Claim 4.6.) 


and (b)-!(1, U4) = {8k + 1,16k}.) We claim that, for each o € {0,1}, the above setting satisfies the 
three relevant summation conditions. Consider, for example, the case o = 0 (depicted in Figure 3). Then, 


T= (1,...,8k} = (W)C U ty) bE 1,..., 16k} = (bf) U Ty) 


= | $9 =3k+0=3k 


no condition 


Figure 3: Using b the {0s and 4{s satisfy the summation conditions $°, 5° and $°. 


a 


50 = yk 46 = 3k and $2 = eee I” = 3k as required. Considering S? = eee Yh” we observe 
that it is distributed as 2k+y = fi (of Claim 4.6) which in turn is statistically close to BINg,. We stress that 
the above argument holds for any way of setting the ws as long as they obey the equalities specified (e.g., 
for any bijection  : I; Uy + 1, UIs, we are allowed to set WO) = x(t) for all i€ ,UI,). The case o = 1 
follows similarly; here St = Diierur, 40 = 5k, SL = iehmul 4) = 5k and $i = ieruls 4) = p+2k (see 


Figure 4). In case p(0) = b we set p([8k]) = Ig UL, VO({8k + 1,..., 16k}) = UL, PO([8k]) = UL 


T= {1,...,8k} = (o)-1(h, Ug) | P= {8k +.1,..., 164} = (bP) UL) 
Si = 3k + 2k = 5k no condition 


Si = p+ 2k S BINg, St =4k +k =5k 


Figure 4: Using b the 7{0"s and y{s satisfy the summation conditions $1, 5} and $2. 


a 


and PY({8k + 1,...,16k}) = I, UIs. The claim that, for each o € {0,1}, the above setting satisfies the 
three relevant summation conditions, is shown analogously. 

REFINEMENT oF FO), FY, PO and oO: However, the above summation conditions do not guarantee 
satisfaction of all the five conditions. In particular, we must use permutations © which guarantee the 
correct positioning visible bits within the 8k-bit long block. That is, we must have 


Oyo ete) = (= o0)) 
(i len(seery 9 Werden) = (0*,(1—a)") 


that is, equality between the sequences and not merely equality in the number of 1’s. Clearly there is no 
problem to set the #’s so that these equalities hold and thus Conditions (1) through (4) are satisfied. It 
is left to satisfy Condition (5). 

Suppose that p(o) = a. In this case the third summation requirement guarantees iseet Wyo) = 


BINg,. This is indeed consistent with the requirement that these Wev'8 are almost uniformly and in- 


dependently distributed. But this is not sufficient. In particular, we also need Dies Wey = BiNs,, 
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where J = {8k <i < 16k: Woe = 1—o} and furthermore the above sum needs to be independent of 


yeeey 


o = 0. In this case we need 


Soy”) 5 BiNa., (3) 


ied 
where J= {ie l,Ul,: af? = 1}, and this sum needs to be independent of ;¢;,u7,_3 4, By Figure 2 


we have |J N J3| = 2k. We further restrict the distributions 0g and Us so that in part J; the four 
possible outcomes of the pairs (40, 98?) are equally likely (e.g., for exactly & integers i € I; we have 
(96°, 9$?) = (0,0)). Consider J’ = J 0 Ly (note |J’| = k). To satisfy Eq. (3) we construct a random 
variable yu’ € {0,1,...,4} (analogously to Claim 4.6) so that p; 2 Prob(y’ = 7) = BINg.(k + 7) for 7 € [A] 


(with the rest of the mass on py’ = 0) and constrain the 4's to satisfy Prob()oyey) VO = J) = p;. We get 


ies 40 = k+! © BiNs, (analogously to Claim 4.6). A minor problem occurs: the new restriction on the 


(0)5 
Vi 
of yu’ (the reason being that ys’ + ww” should be distributed equally to w). However this condition has a 
(0)5 


negligible effect since we can sample yp’ and p and set the 7; 


case jt < pt’ which happens with negligible probability (since Prob(j < pi’) < Prob(u < k) = 27%), 


s conditions }?je7,5) 4(° which we want to be distributed as some jx” £ BINs, —2k and independently 


s accordingly, getting into trouble only in 


The case o = 1 gives rise to the requirement 


Soy? © BIN, (4) 


ied 


where J= {2 € 1, Us: 4 = 0}, and this sum needs to be independent of Osepur,-7 yi), To satisfy 


Eq. (4) we restrict the ys in JS In analogously to satisfy 7.7) 4 = yw’. Finally, we observe that 
(> 


generating the Vrs and 7; ’’s at random so that they satisfy the above requirements makes them satisfy 
Condition (5). 

BEYOND THE FIVE CONDITIONS. In the above construction we have explicitly dealt with conditions which 
obviously have to hold for the construction to be valid. We now show that indeed this suffices. Namely, 


we claim that 
(0; 89,8; 29, FID) BA, = (03 8,6; 957, f'). (5) 


Consider the case ¢ = 0. Both r and r are uniformly chosen in {a,b} and so we consider, w.l.o.g., 
r = r = a. Furthermore, 6 is a random permutation and fave’) = zg) fori = 1,...,8k, and 
fila”) = zg) for 2 = 8k + 1,...,16k, which matches the situation w.r.t ¢, % and y. It remains to 
compare the distributions of B(f>!(-))’s, s € {a,b}, with respect to # and with respect to 7 By 
the above analysis we know that the entries corresponding to s = a and to (s = b)A (i < 8k) are 
distributed similarly in the two cases. Thus, we need to compare B(fy'(fa(2,’’))), .. BUFr(fala@@))) 


and B( fy *(fa(t1))),-- BUS (fa(@se))). Recall that the a,’s are selected at random subject to B(z;) = 0 
(0), 


a 


for? = 1,...,54 and B(a;) = 1 for 7 = 54 4.1,...,8k. An analogous condition is imposed on the « 
but in addition we also have BFP (fal 2s))) = 1 for 2 = 1,...,44, and some complicated conditions on 


BC fr (fa(ao))) = 1, for i = 4k+1,..., 8k (Le., the distribution of 1’s here is governed by js and furthermore 
in the first k elements the number of 1’s is distributed identically to py’). Thus, distinguishing 7 from 7) 
amounts to distinguishing, given f,, f,: D+ D and the trapdoor for f, (but not for f,), between the two 


distributions 


1. (uy,...,Usz), Where the u,;’s are independently selected so that B(u;) = 0 if 2 € [54] and B(u;) = 1 
otherwise; and 


2. (w1,..., Wx), Where the w,’s are uniformly selected under the conditions 
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e B(w;) = 0 if t € [5k] and B(u;) = 1 otherwise, 

B( fy '(fa(w;))) = 1 for i € [4k], 

eran B fy *(fa(i))) =p’, and 

© Diese BUfy (fa(ws))) = w", for some pl” = po pl. 


We claim that distinguishing these two distributions yields a contradiction to the security of the hard-core 
predicate B. Suppose, on the contrary that an efficient algorithm A can distinguish these two distributions. 
Using a hybrid argument we construct an algorithm A’ which distinguishes the the uniform distribution 
over D! © {2 ED: B(«) = 7} and a distribution over D’ that is uniform over both D4 2 {ee D': 
BC fr '(falv))) = 0} and Di = {a € D': BU fy '(fa(w))) = 1}, where r is a bit which can be efficiently 
determined. (We stress that the latter distribution is not uniform on D’ but rather uniform on each 
of its two parts.) Without loss of generality, we assume 7 = 0. It follows that A’ must distinguish 
inputs uniformly distributed in Dj from inputs uniformly distributed in D)|. We now transform A’ into 
an algorithm, A”, that distinguishes a uniform distribution over {y € D: B( fy ‘(y)) = 0} from a uniform 
distribution over {y € D: B( fy '(y)) = 1}. On input y € D, and f,: D+ D, algorithm A” first generates 
another permutation f,, over D, together with the trapdoor for f,. Next, it computes « = f7'(y) and 
stop (outputting 0) if B(z) = 1 (ie., « ¢ D’). Otherwise, A”, invokes A’ on x and outputs A’(z). In 
this case B( fy '(fa(z))) = BUfy (y)) (and B(x) = 0) so the output will be significantly different in case 
B( fy ‘(y))) = 0 and in case B(f;'(y))) = 1. We observe that Prob( B(7) = 0) 4 (otherwise a constant 
function violates the security of B), and conclude that one can a random y with B(f;‘(y)) = 0 from a 
random y with B(fy'(y)) = 1 (which contradicts the security of B). 


4.2.2 Key generation 


We describe how the keys are generated, based on any common-domain trapdoor system. We use Oblivious 
Transfer [R, EGL] in our constructions. Oblivious Transfer (OT) is a protocol executed by a sender $' 
with inputs s; and s2, and by a receiver R with input 7 € {1,2}. After executing an OT protocol, the 
receiver should know s,, and learn nothing else. The sender $ should learn nothing from participating in 
the protocol. In particular $ should not know whether R& learns s, or s.. We are only concerned with the 
case where R is uncorrupted and non-erasing. 

We use the implementation of OT described in [GMW] (which in turn originates in [EGL]). This 
implementation has an additional property, discussed below, that is useful in our construction. For self 
containment we sketch, in Figure 5, the [GMW] protocol for OT of one bit. 

It can be easily verified that the receiver outputs the correct value of o, in Step 4. Also, if the receiver 
is semi-honest in the non-erasing sense, then it cannot predict o3_, with more than negligible advantage 
over $. '8 The sender view of the interaction is uncorrelated with the value of r € {1,2}. Thus it learns 
nothing from participating in the protocol. 

The important additional property of this protocol is that, in a simulated execution of the protocol, 
the simulator can learn both o, and a, by uniformly selecting 21,22 € D, and having the receiver R 
send f(z), f(z.) (in Step 2). Furthermore, if R is later corrupted, then the simulator can “convince” 
the adversary that R received either o, or o2, at wish, by claiming that in Step 2 party R chose either 
(a1, %2) = (1, f(22)) or (a1, 2) = (f(%1), 22), respectively. 

In Figure 6 we describe our key generation protocol. This protocol is valid as long as at least one party 
remains uncorrupted. 


This statement does not hold if R is semi-honest only in the honest-looking sense. Ironically, this ‘flaw’ is related to the 
useful (non-committing) feature discussed below. 
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Oblivious Transfer (OT) 


The parties proceed as follows, using a trapdoor-permutations generator and the associated hard-core pred- 
icate B(). 


1. On input 01,0 € {0,1}, the sender generates a one-way trapdoor permutation f : D — D with its 
trapdoor f~!, and sends f to the receiver. 


. On input 7 € {1,2}, the receiver uniformly selects x1, 72 € D, computes y, = f(a,), sets y3s_, = @3_7, 
and sends (y1, yz) to the sender. 


. Upon receiving (y1, yz), the sender sends the pair (01 6 B(f~'(y1)), 72 6 B(f~1(y2))) to the receiver. 


. Having received (5), b2), the receiver outputs s, = b, © B(x) (as the message received). 


Figure 5: The [GMW] Oblivious Transfer protocol 


key-generation (€¢) 


For generating an encryption key (fa, fs) known to the sender, and a decryption key f;' known only to the 


receiver (2), where r is uniformly distributed in {a, 5}. 


. The receiver generates a common domain D, and sends a to all parties. 


. Each party P; generates two trapdoor permutations over Dy, denoted fg, and f,,, and sends (fa,, fs,) 
to R. The trapdoors of fa, and f,, are kept secret by P;. 


. The receiver R chooses uniformly 7 € {1,2} and invokes the OT protocol with each party P; for a 
number of times equal to the length of the description of the trapdoor of a permutation over a. In 
all invocations the receiver uses input 7. In the j*® invocation of OT, party P; acting as sender uses 
input (01,02), where o; (resp., 72) is the j*® bit of the trapdoor of fa, (resp., fs,). (Here we use the 
convention by which, without loss of generality, the trapdoor may contain all random choices made by 
G2 when generating the permutation. This allows R to verify the validity of the data received from 


P;.) 


. Let H be the set of parties with which all the OT’s were completed successfully. Let fa, be the 
composition of the permutations f,,’s for P; € H, in some canonical order, and let f, be defined 
analogously (e.g., a is the concatenation of the a; with i € H). Let r= aif = 1 and r = 6 otherwise. 
The trapdoor to f, is known only to R (it is the concatenation of the trapdoors obtained in Step 3). 


. R now sends the public key (fa, fp) to the sender. 


Figure 6: The key generation protocol 


4.2.3 Simulation (Adaptive security of the encryption protocol) 


Let ¢ denote the combined encryption and decryption protocols, preceded by the key generation protocol. 


Theorem 4.8 Protocol ¢ is an (n — 1)-resilient non-committing encryption protocol for n parties, in the 
presence of non-erasing parties. 
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Proof (sketch): Let P,. be the sender and let P, be the receiver. Recall that a non-committing encryption 
protocol is a protocol that securely computes the bit transmission function, BTR, ,,in asimulatable way. Let 
e’ be a non-erasing protocol for e. We construct a simulator S such that IDEALBTR, ,.54(@) £ Exec. 4(o), 
for any (n — 1)-limited adversary A and for any input o € {0,1} of P,. 

The simulator S proceeds as follows. First an invocation of the key generation protocol ¢g is simulated, 
in such a way that S knows both trapdoors f7! and f;'. (This can be done using the additional property 
of the [GMW] Oblivious Transfer protocol, as described above.) For each party P that A corrupts during 
this stage, S hands A the internal data held by P in the simulated interaction. We stress that as long as 
at least one party remains uncorrupted, the adversary knows at most one of f7', f;'. Furthermore, as 
long as P, remains uncorrupted, the adversary view of the computation is independent of whether P, has 
fz! or fy’. 

Once the simulation of the key generation protocol is completed, S instructs the trusted party in the 
ideal model to notify P, of the function value. (This value is P,’s input, o.) If at this point either P, 
or P, is corrupted, then S gets to know the encrypted bit. In this case S generates a true encryption 
of the bit o, according to the protocol. If neither P, nor P, are corrupted, then S generates the values 
2, FO), FVGO), AY, 7 OD as in Lemma 4.7, and lets 7 be the ciphertext that P, sends to P, in the 
simulated interaction. 

If at this stage A corrupts some party P which is not the sender or the receiver, then S hands A the 
internal data held by P in the simulated interaction. If A corrupts P,, then S corrupts P, in the ideal 
model and learns o. Next S hands A the values #7), ¢(” for P,’s internal data. If A corrupts P., then S 
corrupts P, in the ideal model, learns o, and hands A the value fre for P,’s internal data. 


The validity of the simulation follows from Lemma 4.7 and from the properties of the [GM W] Oblivious 


Transfer protocol. 


4.3. Alternative implementations of non-committing encryption 


We describe two alternative implementations of our non-committing encryption scheme, based on the RSA 
and DH assumptions, respectively. These implementations have the advantage that the key generation 
stage can be simplified to consist of a single message sent from the receiver to the sender. 


An implementation based on RSA. We first construct the following common-domain trapdoor sys- 
tem. The common domain, given security parameter n, is {0,1}”. A permutation over {0,1}” is chosen as 
follows. First choose a number N uniformly from [2"~!...2"], together with its factorization (via Bach’s 
algorithm [B]). Next choose a prime 2” < e < 2"t!. (This way, we are assured that gced(e,é(N)) = 1, 
where ¢() is Euler’s totient function, even if the factorization of N is not known.) Let fy(a) = x*(mod N) 
if~ < N and fy(a) = & otherwise. With non-negligible probability N is a product of two large primes. 
Thus, this construction yields a collection of common-domain permutations which are weakly one-way. 
Employing an amplification procedure (e.g., [Y, GILVZ]) we obtain a proper common-domain system. 

This common-domain trapdoor system can be used as described in Section 4.2. However, here the key- 
generation stage can be simplified considerably. Observe that it is possible to choose a permutation from 
the above distribution without knowing its trapdoor. Specifically, this is done by choosing the numbers N of 
the different instances of fy in the direct way, without knowing their factorization. Thus, the receiver will 
choose two trapdoor permutations f,, f,, where only the trapdoor to f, (i.e., f7') is known, r €, {a,b}. 
Both f,, fp are now sent to the sender, who proceeds as in Section 4.2.1. In a simulated execution the 
simulator will choose both f, and f, together with their trapdoors.'4 


' A similar idea was used in [DP]. 


26 


An implementation based on DH. Consider the following construction. Although it fails to satisfy 
Definition 4.3, it will be ‘just as good’ for our needs. The common domain, given security parameter n, 
is a prime 2”-' < p < 2” where the factorization of p— 1 is known. Also, a generator g of Z, is fixed. 
p and g are publicly known. All computations are done modulo p. To choose a permutation over Z>, 
choose an element v €, 27, and let f,(«) = 2°. The public description of f, is y S g’. The ‘trapdoor’ is 
u = v-!(mod p— 1). 


This construction has the following properties: 


e Although it is hard to compute f, if only p,g,y are known, it is easy to generate random elements 
t €y Z together with f,(x): choose z €, 2%, and set x = g* and f,(x) = y*. (This holds since 
f(@jse ag’ =y’.) 


e If w is known then it is easy to compute f>'(2) = a". 


An algorithm A that inverts f, given only p,g,y can be easily transformed into an algorithm A’ that 
given p,g,g*,g° outputs g® (that is, into an algorithm that contradicts the Diffie-Hellman (DH) 
assumption). Specifically, Assume that A(p,g,g’,2”) = x. Then, on input p,g,g°%,g’, algorithm A’ 
will run A(p, 9%, 9,9") to obtain g®’. 


It is possible to choose a permutation from the above distribution without knowing its trapdoor. 
Specifically, this is done by uniformly choosing numbers y €, Z% until a generator is found. (It is 
easy to decide whether a given y is a generator of Z* when the factorization of p— 1 is known.) 


Note that both in the encryption process and in the simulation it is not necessary to compute the 
permutations f on arbitrary inputs. It suffices to be able to generate random elements x in the domain 
together with their function value f(a). Thus, this construction is used in a similar way to the previous 
one. 


A concluding remark to Section 4. Our solutions for non-erasing parties may appear somewhat unsat- 
isfactory since they are based on ‘trusting’ the receiver to choose trapdoor permutations without knowing 
the trapdoor, whereas the permutation can be chosen together with its trapdoor by simple ‘honest-looking’ 
behavior. Recall, however, that if honest-looking parties are allowed then no (non-trivial) protocol can be 
proven adaptively secure (via black-box simulation if claw-free pairs exist). We do not see a meaningful 
way to distinguish between the ‘honest-looking behavior’ that foils the security of our constructions and 
the ‘honest-looking behavior’, described in Section 2.2, that foils provability of the adaptive security of any 
protocol. 


5 Honest-looking parties 


Our construction for honest-looking parties assumes the existence of a “trusted dealer” at a pre-computation 
stage. The dealer chooses, for each party P, a truly random string rp, and hands rp to P, to be used as 
random input. (We call rp a certified random input for P.) Next, the dealer generates n — 1 shares of rp, 
so that rp can be reconstructed from all n — 1 shares, but any subset of n — 2 shares are independent of 
rp. Finally the dealer hands one share to each party other than P. 

Now, all parties are able to jointly reconstruct rp, and thus verify whether P follows its protocol. 
Consequently, if party P is honest-looking (i.e., P does not take any chance of being caught cheating), 
then it is forced to use rp exactly as instructed in the protocol. Party P is now limited to non-erasing 
behavior, and the construction of Section 4 applies. (We note that the use of certified random inputs 
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does not limit the simulator. That is, upon corruption of party P, the simulator can still compute some 
convenient value r to be used as P’s random input, and then “convince” the adversary that the certified 
random input of P was rp. The adversary will not notice anything wrong since it will never have all the 
shares of the certified random input.) 
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